Results 1 to 7 of 7

Thread: Audit data going to syslog

  1. #1

    Default Audit data going to syslog

    I have three machines that I upgraded to Leap 15 and on one of them audit records are going to /var/log/messages but on the other two this is not happening. All three machines have virtually identical configurations and run syslog-ng.

    Can anyone give me a clue as to why one is doing this and not the others. I would like to stop it on the one that is doing it as there is no point in having the audit records in syslog as well.

  2. #2
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,594

    Question Re: Audit data going to syslog

    Looking at a Red Hat question on this theme, the following questions have to be asked:
    1. Is the boot parameter 'audit=1' present in the Grub configuration?
    2. Within '/etc/audisp/plugins.d/syslog.conf' on the 'args' line, is LOG_LOCAL0 present?
    3. Within '/etc/syslog.conf' on the line for "/var/log/messages" is ';local0.none' present among the selectors?

    The Red Hat discussion <https://access.redhat.com/discussions/650853> indicates that:
    • 'audit=1' should not be present in the Grub configuration;
    • '/etc/audisp/plugins.d/syslog.conf' should have the line "args = LOG_LOCAL0";
    • '/etc/syslog.conf' should have ';local0.none' included among the selectors for "/var/log/messages".

  3. #3

    Default Re: Audit data going to syslog

    I've seen these threads. audit=1 is not set in grub and the other lines are not present. But then none of those lines are present on the two machines which are not exhibiting this problem.

  4. #4
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,462
    Blog Entries
    2

    Default Re: Audit data going to syslog

    A possible try is to force re-install syslog-ng.
    Code:
    zypper in -f syslog-ng
    If that doesn't work, then fully uninstall, then re-install syslog-ng.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  5. #5

    Default Re: Audit data going to syslog

    I would still like to know why this is different on one machine but in the end I decided that I don't really need auditing anyway so I've turned it off.

  6. #6
    Join Date
    Feb 2010
    Location
    Germany
    Posts
    2,594

    Default Re: Audit data going to syslog

    Quote Originally Posted by davidlwilcox View Post
    I would still like to know why this is different on one machine
    Possibly due to the default behaviour of syslog-ng on that machine -- you mentioned that, on the other machines you didn't need to explicitly setup the audit behaviour with respect to /var/log/messages -- possibly due to a setup somewhere in /usr/lib/ rather than in /etc/ …

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,462
    Blog Entries
    2

    Default Re: Audit data going to syslog

    Quote Originally Posted by davidlwilcox View Post
    I would still like to know why this is different on one machine but in the end I decided that I don't really need auditing anyway so I've turned it off.
    Computing is still extremely complex under the hood no matter how simplified it might appear to humans.
    My suggestions are based on the idea that re-installation and re-setting what causes the re-direction of syslog data would fix your problem.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •